Secure Programming Best Practices

Actionable security checklists organized by OWASP Top 10 (2021) categories. Each item links to the relevant OWASP Cheat Sheet for detailed guidance.

When you need more detail on a specific topic, fetch the linked cheat sheet URL.

How to Use

1. Identify which categories are relevant to the code being written or reviewed
2. Walk through the checklist items for those categories
3. Fetch the linked OWASP cheat sheet for every checklist item that could be relevant — do not rely solely on the checklist summaries here; load the full cheat sheet to get detailed, up-to-date guidance. When in doubt about relevance, fetch it.
4. For framework-specific guidance, see the Framework-Specific Security section and fetch the corresponding cheat sheet
5. Always include OWASP cheat sheet URLs in your output so the reader can follow up

Base URL for all cheat sheets: https://cheatsheetseries.owasp.org/cheatsheets/

A01: Broken Access Control

• Deny access by default; require explicit grants (Access Control)
• Enforce authorization server-side; never rely on client-side checks (Authorization)
• Use indirect object references or validate ownership before returning resources (IDOR Prevention)
• Apply rate limiting and account lockout to prevent brute-force
• Log all access control failures and alert on repeated attempts
• Invalidate sessions and tokens on logout and password change (Session Management)
• Validate CORS configuration; avoid Access-Control-Allow-Origin: * for authenticated endpoints (HTTP Headers)
• For multi-tenant systems, enforce tenant isolation at every data access layer (Multi-Tenant Security)

A02: Cryptographic Failures

• Use TLS 1.2+ for all data in transit; disable older protocols (TLS)
• Enable HSTS with includeSubDomains and adequate max-age (HSTS)
• Use strong, modern algorithms (AES-256-GCM, ChaCha20-Poly1305); avoid DES, RC4, MD5, SHA-1 (Cryptographic Storage)
• Store passwords with Argon2id, bcrypt, or scrypt — never plain hashes (Password Storage)
• Manage secrets through a vault or environment variables; never hardcode (Secrets Management)
• Rotate keys on a defined schedule; support key versioning (Key Management)

A03: Injection

• Validate all input: type, length, range, format; use allowlists over denylists (Input Validation)
• Use parameterized queries or prepared statements for all SQL (SQL Injection Prevention, Query Parameterization)
• Context-escape all output: HTML-encode for HTML, JS-encode for JavaScript, URL-encode for URLs (XSS Prevention, DOM-based XSS Prevention)
• Avoid OS command execution; if unavoidable, use strict allowlists and no shell interpolation (OS Command Injection Defense)
• Sanitize LDAP input using established escape functions (LDAP Injection Prevention)
• Deploy Content Security Policy to mitigate XSS impact (CSP)
• Prevent DOM clobbering by avoiding document.getElementById on user-controllable IDs (DOM Clobbering Prevention)
• Guard against prototype pollution in JavaScript by freezing prototypes or using Object.create(null) (Prototype Pollution Prevention)

A04: Insecure Design

• Perform threat modeling early in the design phase (Threat Modeling)
• Identify and document abuse cases alongside use cases (Abuse Case)
• Analyze and minimize the attack surface for each feature (Attack Surface Analysis)
• Follow secure product design principles: least privilege, defense in depth, fail secure (Secure Product Design)

A05: Security Misconfiguration

• Disable unnecessary features, ports, services, and default accounts
• Harden Docker containers: non-root user, read-only filesystem, minimal base image (Docker Security)
• Apply Kubernetes security best practices: pod security policies, network policies, RBAC (Kubernetes Security)
• Scan IaC templates for misconfigurations before deployment (IaC Security)
• Disable XML external entity processing in all XML parsers (XXE Prevention)
• Set security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, etc. (HTTP Headers)
• Secure CI/CD pipelines: least-privilege tokens, signed artifacts, audit logs (CI/CD Security)

A06: Vulnerable and Outdated Components

• Maintain an inventory of all dependencies and their versions (Dependency Graph / SBOM)
• Continuously scan dependencies for known vulnerabilities (Vulnerable Dependency Management)
• Audit third-party JavaScript for integrity and behavior (Third Party JS Management)
• Use lockfiles and verify package integrity hashes (NPM Security)
• Review supply chain security practices for critical dependencies (Software Supply Chain Security)

A07: Identification and Authentication Failures

• Enforce minimum password complexity and check against breached password lists (Authentication)
• Implement MFA for privileged and sensitive operations (MFA)
• Generate session IDs server-side with high entropy; regenerate after authentication (Session Management)
• Secure password reset flows: time-limited tokens, side-channel verification (Forgot Password)
• Prevent credential stuffing with rate limiting, CAPTCHA, and device fingerprinting (Credential Stuffing Prevention)
• Implement OAuth 2.0 with PKCE for public clients (OAuth 2.0)
• Set cookie attributes: Secure, HttpOnly, SameSite, proper Path and Domain (Cookie Theft Mitigation)

A08: Software and Data Integrity Failures

• Never deserialize untrusted data; if required, validate schema and use safe libraries (Deserialization)
• Protect against mass assignment: explicitly allowlist assignable fields (Mass Assignment)
• Validate file uploads: check type via magic bytes (not just extension or Content-Type header), enforce size limits, and re-encode/re-process content to strip metadata and neutralize polyglots. Store outside webroot with random names. Explicitly reject dangerous types: SVG (can contain embedded JavaScript), HTML, executable files (.exe, .sh, .bat), and server-side scripts (.php, .jsp). (File Upload)
• Verify integrity of software artifacts with checksums and signatures

A09: Security Logging and Monitoring Failures

• Log authentication events, access control failures, input validation failures, and application errors (Logging)
• Use consistent log format and vocabulary for automated analysis (Logging Vocabulary)
• Never log sensitive data: passwords, tokens, PII, credit card numbers
• Return generic error messages to users; log detailed errors server-side (Error Handling)
• Set up alerts for anomalous patterns: brute force, privilege escalation, unusual data access

A10: Server-Side Request Forgery (SSRF)

• Validate and sanitize all user-supplied URLs (SSRF Prevention)
• Use allowlists for permitted domains and protocols
• Block requests to internal/private IP ranges (127.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, etc.)
• Disable unnecessary URL schemes (file://, gopher://, ftp://)
• Run server-side HTTP clients in network-restricted environments when possible

API Security

• Authenticate and authorize every API request (REST Security)
• Validate request content types and reject unexpected media types
• Apply rate limiting and request size limits
• For GraphQL: limit query depth and complexity; disable introspection in production (GraphQL)
• For gRPC: use TLS, validate protobuf messages, implement interceptor-based auth (gRPC Security)
• For WebSockets: validate origin, authenticate the handshake, validate all messages (WebSocket Security)
• Prevent CSRF with synchronizer tokens or SameSite cookies (CSRF Prevention)
• Validate redirect URLs against an allowlist (Unvalidated Redirects)

AI and LLM Security

• Validate and sanitize all LLM inputs and outputs (LLM Prompt Injection Prevention)
• Apply least privilege to AI agent tool access and actions (AI Agent Security)
• Secure model serving infrastructure: access controls, input limits, monitoring (Secure AI Model Ops)

Framework-Specific Security

When working with a specific framework, consult the relevant cheat sheet for framework-specific pitfalls and mitigations:

Additional References

For topics not covered above, browse the full index: OWASP Cheat Sheet Series Index